
Generate SCAP

To generate SCAP, OVAL, or XCCDF documents, use the generate_scap.py script.

  1. List available baselines:
    ./scripts/generate_scap.py -l
  2. Generate a SCAP 1.3 document for all baselines:
    ./scripts/generate_scap.py
  3. Generate only XCCDF (-x) or OVAL (-o):
    ./scripts/generate_scap.py -x
    ./scripts/generate_scap.py -o
  4. Generate for a specific baseline:
    ./scripts/generate_scap.py -b stig -x

  • build/
    • [generated SCAP/XCCDF/OVAL files]
  • rules/
    • [rule files with baseline tags]
  • custom/
    • [custom rule files with baseline tags]
  • scripts/
    • generate_scap.py

Example Output:

macos_security git:(sequoia) ./scripts/generate_scap.py
./scripts/generate_scap.py -l
800-171
800-53r4_high
800-53r4_low
800-53r4_moderate
800-53r5_high
800-53r5_low
800-53r5_moderate
800-53r5_privacy
cis_lvl1
cis_lvl2
cisv8
cnssi-1253
stig
macos_security git:(ventura) ./scripts/generate_scap.py -b stig -x

This generates an XCCDF document in the build folder for just the stig baseline.

Security Content Automation Protocol (SCAP) 1.3

An SCAP data stream (typically) consists of several XML documents knit together in a containing XML document. The component documents are:

  • An XCCDF document
  • An OVAL document referenced by the XCCDF document
  • An OCIL document referenced by the XCCDF document
  • A CPE dictionary document referenced by the XCCDF document
  • An OVAL document referenced by the CPE dictionary document
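The component structure listed above can be checked mechanically. The following is an added example, not code from the mSCP project: it inventories the components of an SCAP source data stream by the namespace of each embedded document and reports any component-ref that points at a component missing from the file. The sample XML, its ids and the function name `inventory` are constructed for illustration and are not output of generate_scap.py.

```python
import xml.etree.ElementTree as ET

DS = "{http://scap.nist.gov/schema/scap/source/1.2}"   # source data stream namespace
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Root-element namespace of each component type named in the list above.
KINDS = {
    "http://checklists.nist.gov/xccdf/1.2": "XCCDF",
    "http://oval.mitre.org/XMLSchema/oval-definitions-5": "OVAL",
    "http://scap.nist.gov/schema/ocil/2.0": "OCIL",
    "http://cpe.mitre.org/dictionary/2.0": "CPE dictionary",
}

# Constructed sample: a skeletal data stream whose OCIL component is missing.
SAMPLE = """<data-stream-collection xmlns="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink">
  <data-stream id="ds_example">
    <dictionaries><component-ref id="r_cpe" xlink:href="#c_cpe"/></dictionaries>
    <checklists><component-ref id="r_xccdf" xlink:href="#c_xccdf"/></checklists>
    <checks>
      <component-ref id="r_oval" xlink:href="#c_oval"/>
      <component-ref id="r_ocil" xlink:href="#c_ocil"/>
    </checks>
  </data-stream>
  <component id="c_cpe"><cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"/></component>
  <component id="c_xccdf"><Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"/></component>
  <component id="c_oval"><oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"/></component>
</data-stream-collection>"""

def inventory(xml_text):
    """Return ({component id: kind}, [hrefs of component-refs with no component])."""
    root = ET.fromstring(xml_text)
    kinds = {}
    for comp in root.findall(DS + "component"):
        # Classify by the namespace of the embedded document's root element.
        tag = comp[0].tag if len(comp) else ""
        ns = tag[1:].split("}")[0] if tag.startswith("{") else ""
        kinds[comp.get("id")] = KINDS.get(ns, "unknown")
    refs = [r.get(XLINK_HREF, "") for r in root.iter(DS + "component-ref")]
    return kinds, [h for h in refs if h.lstrip("#") not in kinds]

if __name__ == "__main__":
    found, dangling = inventory(SAMPLE)
    for cid, kind in found.items():
        print(f"{cid}: {kind}")
    print("dangling component-refs:", dangling)
```
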

National Checklist Program for IT Products Guidelines for Checklist Users and Developers

National Checklist Program Repository